We investigate the Goldreich-Levin Theorem in the context of quantum information. This result is a reduction from the computational problem of inverting a one-way function to the problem of predicting a particular bit associated with that function. We show that the quantum version of the reduction, between quantum one-way functions and quantum hard-predicates, is quantitatively more efficient than the known classical version. Roughly speaking, if the one-way function acts on $n$-bit strings then the overhead in the reduction is by a factor of $O(n/\epsilon^2)$ in the classical case but only by a factor of $O(1/\epsilon)$ in the quantum case, where $\frac{1}{2}+\epsilon$ is the probability of predicting the hard-predicate. Moreover, we prove via a lower bound that, in a black-box framework, the classical version of the reduction cannot have overhead less than $\Omega(n/\epsilon^2)$.

We also show that, using this reduction, a quantum bit commitment scheme that is perfectly binding and computationally concealing can be obtained from any quantum one-way permutation. This complements a recent result by Dumais, Mayers and Salvail, where the bit commitment scheme is perfectly concealing and computationally binding. We also show how to perform qubit commitment by a similar approach.

1 Introduction 

Fast quantum algorithms are potentially useful in that, if quantum computers that can run them are built, they can then be used to solve computational problems quickly. Algorithms can also be the basis of reductions between computational problems in instances where the underlying goals are different from fast computations. For example, reductions are often used as indicators that certain problems are computationally hard, as in the theory of NP-completeness (see [12] and references therein). Another domain where reductions play an important role is in complexity-based cryptography, where a reduction can show that breaking a particular cryptosystem is as difficult (or almost as difficult) as solving a computational problem that is presumed to be hard. We investigate such a cryptographic setting where quantum algorithms yield different reductions than are possible in the classical case: the so-called Goldreich-Levin Theorem [13]. This result is a reduction from the computational problem of inverting a one-way function to the problem of predicting a particular hard-predicate associated with that function. Roughly speaking, a one-way function is a function that can be efficiently computed in the forward direction but is hard to compute in the reverse direction, and a hard-predicate of a function is a bit that can be efficiently computed from the input to the function and yet is hard to estimate from the output of the function. We show that the quantum version of the reduction is quantitatively more efficient than the known classical version. Moreover, we prove via a lower bound that, in a black-box framework, the classical version of the reduction cannot be made as efficient as the quantum version.

Goldreich and Levin essentially showed that, for a problem instance of size $n$ bits, if their hard-predicate can be predicted with probability $\frac{1}{2}+\epsilon$ with computational cost $T$ then the one-way function can be inverted with computational cost $O(T \cdot D(n,\epsilon))$, where $D(n,\epsilon)$ is polynomial in $n/\epsilon$. Taken in its contrapositive form, this means that, if inverting the one-way function requires a computational cost of $\Omega(T)$, then predicting the hard-predicate with probability $\frac{1}{2}+\epsilon$ requires a computational cost of $\Omega(T/D(n,\epsilon))$. Note that if we start with a specific lower bound of $\Omega(T)$ for inverting the function then we end up with a weaker lower bound, by a dilution factor of $D(n,\epsilon)$, for breaking the hard-predicate. In [14], it is shown that the dilution factor can be as small as $O(n/\epsilon^2)$.

We show that there is a quantum implementation of the reduction where the dilution factor is only $O(1/\epsilon)$. We also show that $\Omega(n/\epsilon^2)$ is a lower bound on the dilution factor for any classical implementation of the reduction in a black-box framework. In the standard parameterization of interest in cryptography, $T$ is assumed to be superpolynomial in $n$ and $\epsilon \in 1/n^{O(1)}$. In this case, although $1/\epsilon$ is smaller than $n/\epsilon^2$, the diluted computational cost, $T/D(n,\epsilon)$, remains superpolynomial in both cases. However, there are other parameterizations where the difference between the achievable quantum reduction and the best possible classical reduction is more pronounced. One example is the case where $T = n^3$ and $\epsilon = 1/n$. If we start with a classical one-way function that requires a computational cost of $\Omega(n^3)$ to invert and apply the Goldreich-Levin Theorem to construct a classical hard-predicate then the reduction implies only that the computational cost of predicting the predicate with probability $\frac{1}{2}+\frac{1}{n}$ is lower bounded by a constant. However, if we start with a quantum one-way function that requires a computational cost of $\Omega(n^3)$ to invert and apply our quantum version of the Goldreich-Levin Theorem then the computational cost of predicting the predicate with probability $\frac{1}{2}+\frac{1}{n}$ is lower bounded by $\Omega(n^2)$.

A particular application of hard-predicates is for bit commitment. Recall the now well-known result that an information-theoretically secure bit commitment scheme cannot be based on the information-theoretic properties of quantum devices alone [17]. Of course, this is also the case with classical devices, though computationally secure bit commitment schemes have been widely proposed, investigated, and applied. Such schemes can be based on the existence of one-way permutations. Most of these proposed one-way permutations are hard to invert only if problems such as factoring or the discrete logarithm are hard, and are insecure against quantum computers, which can efficiently solve such problems [18]. Recently, Dumais, Mayers and Salvail considered the possibility of quantum one-way permutations and showed how to base quantum bit commitment on them (see also [...]). Their scheme is perfectly concealing and computationally binding, in the sense that changing a commitment is computationally hard if inverting the permutation is hard. We exhibit a complementary quantum bit commitment scheme that is perfectly binding and computationally concealing. As with hard-predicates, the dilution factor in the measure of computational security is lower than possible with the corresponding classical construction. Furthermore, a possible advantage of our protocol is that the information that must be communicated and stored between the parties consists of $O(n)$ classical bits for bit commitment (and $O(n)$ classical bits plus one qubit for qubit commitment), whereas the scheme in [11] employs $O(n)$ qubits.

The organization of this paper is as follows. In Section 2, we investigate a simple black-box problem that is related to the Goldreich-Levin Theorem. In Section 3, we give definitions pertaining to one-way permutations and hard-predicates (classical and quantum versions) and investigate the complexity of reductions from the former to the latter (applying results from Section 2). In Section 4, we show how to use the Goldreich-Levin Theorem to construct a perfectly binding and computationally concealing quantum bit commitment scheme from a quantum one-way permutation.



2 A black-box problem

Our results about the Goldreich-Levin Theorem (which are in Section 3) are based on the query complexity of the following black-box problem, which we refer to as the GL problem (see, e.g., [...]). Let $n$ be a positive integer and $\epsilon > 0$. Let $a \in \{0,1\}^n$ and let information about $a$ be available only from inner product and equivalence queries, which are defined below in the classical case (and later on generalized to the case of quantum information).

Definition 1 A classical inner product (IP) query (with bias $\epsilon$) has input $x \in \{0,1\}^n$ and outputs a bit that is slightly correlated with $a \cdot x$ (the inner product of $a$ and $x$ modulo two) in the sense that

\[ \Pr_x[IP(x) = a \cdot x] \ge \tfrac{1}{2} + \epsilon. \tag{1} \]

The above probability is with respect to a random$^1$ $x \in \{0,1\}^n$.



Definition 2 A classical equivalence (EQ) query has input $x \in \{0,1\}^n$, and the output is 1 if $x = a$ and 0 otherwise.

The goal is to determine $a$ with a minimum number of IP and EQ queries. A secondary resource under consideration is the number of auxiliary bit/qubit operations. It should be noted that, when $\epsilon = \frac{1}{2}$, this is essentially equivalent to a problem that Bernstein and Vazirani [...] considered, where IP queries return $a \cdot x$ on input $x$. For this problem, $n$ IP queries are necessary and sufficient to solve it classically; however, it can be solved with a single (appropriately defined) quantum IP query. (See also [...].) When $\epsilon$ is small (say, $\epsilon \in 1/n^{O(1)}$), an efficient classical solution to this problem is nontrivial. The correctness probability of an IP query for a particular $x$ cannot readily be amplified by simple techniques such as repeating queries; for some $x$, $IP(x)$ may always be wrong.

Goldreich and Levin [13] were the first to (implicitly) solve this problem with a number of queries and auxiliary operations that is polynomial in $n/\epsilon$, and this is the basis of their cryptographic reduction in Theorem 4.

We show that any classical algorithm solving the GL problem with constant probability must make $\Omega(n/\epsilon^2)$ queries (for a reasonable range of values of $\epsilon$), whereas there is a quantum algorithm that solves the GL problem with $O(1/\epsilon)$ queries. For the quantum version of the GL problem, quantum IP and EQ queries are defined (in Definitions 3 and 4) as unitary operations that correspond to Definitions 1 and 2 in a natural way. We begin with the classical lower bound.



$^1$Unless otherwise specified, a "random" element of a set means with respect to the uniform distribution.

Theorem 1 Any classical probabilistic algorithm solving the GL problem with success probability $\delta > 0$ requires either more than $2^{n/2}$ EQ queries or $\Omega(\delta n/\epsilon^2)$ IP queries when $\epsilon \ge \sqrt{n}\,2^{-n/4}$.

Proof: The proof uses classical information theory, bounding the conditional mutual information 
about an unknown string that is revealed by each IP query, in conjunction with an analysis of the 
effect of EQ queries. 

It is useful to consider an algorithm to be successful on a particular input if and only if it performs an EQ query whose output is 1 (at which point the value of $a$ has been determined). We begin by showing that it is sufficient to consider algorithms (formally, decision trees) that are in a convenient simple form. First, by a basic game-theoretic argument [20], it suffices to consider deterministic algorithms, where their input data, embodied in the black-boxes for IP and EQ queries, may be generated in a probabilistic manner. Second, it can be assumed that all EQ queries occur only after all IP queries have been completed. To see why this is so, start with an algorithm that interleaves IP and EQ queries, and modify it as follows. Whenever an EQ query occurs before the end of the IP queries, the modified algorithm stores the value of the input to the query and proceeds as if the result were 0. Then, at the end of the IP queries, each such deferred EQ query is applied. The modified algorithm will behave consistently whenever the actual output of a deferred EQ query is 0, and also it will perform (albeit later) any EQ query where the output is 1. Henceforth, we consider only algorithms with the above simplifications.

Now we describe a probabilistic procedure for constructing the black boxes that perform IP and EQ queries. First, $a \in \{0,1\}^n$ is chosen randomly according to the uniform distribution. Then a set $S \subseteq \{0,1\}^n$ is chosen randomly, uniformly subject to the condition that $|S| = (\frac{1}{2}+\epsilon)2^n$ (assuming that $\epsilon 2^n$ is an integer). Then

\[ IP(x) = \begin{cases} a \cdot x & \text{if } x \in S \\ \overline{a \cdot x} & \text{if } x \notin S \end{cases} \tag{2} \]

and

\[ EQ(x) = \begin{cases} 1 & \text{if } x = a \\ 0 & \text{otherwise.} \end{cases} \tag{3} \]

Consider an algorithm that makes $m$ IP queries. If $m \ge \delta n/\epsilon^2$ then the theorem is proven. Otherwise, since $\epsilon \ge \sqrt{n}\,2^{-n/4}$, we have

\[ m < \frac{\delta n}{\epsilon^2} \le \delta\, 2^{n/2}. \tag{4} \]



We proceed by determining the amount of information about $a$ that is conveyed by the application of $m$ IP queries. Let $A$ be the $\{0,1\}^n$-valued random variable corresponding to the probabilistic choice of $a \in \{0,1\}^n$, and let $Y_1, Y_2, \ldots, Y_m$ be the $\{0,1\}$-valued random variables corresponding to the respective outputs of the $m$ IP queries. Let $H$ be the Shannon entropy function (see, e.g., [...]). Then, for each $i \in \{1, 2, \ldots, m\}$,

\[ H(A \mid Y_1, Y_2, \ldots, Y_i) = H(A \mid Y_1, \ldots, Y_{i-1}) - H(Y_i \mid Y_1, \ldots, Y_{i-1}) + H(Y_i \mid A, Y_1, \ldots, Y_{i-1}). \tag{5} \]

Combining the above equations yields

\[ H(A \mid Y_1, Y_2, \ldots, Y_m) = H(A) + \sum_{i=1}^{m} \bigl( H(Y_i \mid A, Y_1, \ldots, Y_{i-1}) - H(Y_i \mid Y_1, \ldots, Y_{i-1}) \bigr). \tag{6} \]
We shall now bound each term on the right side of Eq. 6. Since the a priori distribution of $A$ is uniform, $H(A) = n$. Also, since the entropy of a single bit is at most 1, $H(Y_i \mid Y_1, \ldots, Y_{i-1}) \le 1$ for all $i \in \{1, 2, \ldots, m\}$. Next, we show that, for all $i \in \{1, 2, \ldots, m\}$,

\[ H(Y_i \mid A, Y_1, \ldots, Y_{i-1}) \ge 1 - (16/\ln 2)\,\epsilon^2. \tag{7} \]

To establish Eq. 7, it is useful to view the set $S$ as being generated during the execution of the IP queries as follows. Initially $S$ is empty, and when the first IP query is performed on some input $x$, $x$ is placed in $S$ with probability $\frac{1}{2}+\epsilon$ and in $\overline{S}$ with probability $\frac{1}{2}-\epsilon$. The inputs to subsequent IP queries are also placed in either $S$ or $\overline{S}$ with an appropriate probability, which depends on how the inputs to previous queries are balanced between $S$ and $\overline{S}$. After the execution of the first $i-1$ queries, the input to the $i^{\text{th}}$ query is placed in $S$ with probability

\[ \frac{(\frac{1}{2}+\epsilon)2^n - j}{2^n - (i-1)}, \tag{8} \]

where $j \in \{0, 1, \ldots, i-1\}$ is the number of previous inputs to queries that have been placed in $S$. Using Eq. 4, the above probability can be shown to lie between $\frac{1}{2}-2\epsilon$ and $\frac{1}{2}+2\epsilon$. It follows that

\[ H(Y_i \mid A, Y_1, \ldots, Y_{i-1}) \ge H(\tfrac{1}{2}+2\epsilon, \tfrac{1}{2}-2\epsilon) = -(\tfrac{1}{2}+2\epsilon)\log(\tfrac{1}{2}+2\epsilon) - (\tfrac{1}{2}-2\epsilon)\log(\tfrac{1}{2}-2\epsilon) \ge 1 - (16/\ln 2)\,\epsilon^2, \tag{9} \]

establishing Eq. 7. Now, substituting the preceding inequalities into Eq. 6, we obtain

\[ H(A \mid Y_1, \ldots, Y_m) \ge n - (16/\ln 2)\, m\epsilon^2. \tag{10} \]

Intuitively, the IP queries yield information about the value of $A$ in terms of their effect on the probability distribution of $A$ conditioned on the values of $Y_1, \ldots, Y_m$. Eq. 10 bounds the decrease in entropy that is possible.

From the conditions of the theorem, it can be assumed that, after the IP queries, $2^{n/2}$ EQ queries are performed. The algorithm succeeds with probability at least $\delta$ only if there exist $2^{n/2}$ elements of $\{0,1\}^n$ whose total probability (conditioned on $Y_1, \ldots, Y_m$) is at least $\delta$. The maximum entropy that a distribution with this property can have is for a bi-level distribution, where $2^{n/2}$ elements of $\{0,1\}^n$ each have probability $\delta/2^{n/2}$ and $2^n - 2^{n/2}$ elements each have probability $(1-\delta)/(2^n - 2^{n/2})$. Therefore,

\[ \begin{aligned} H(A \mid Y_1, \ldots, Y_m) &\le H\Bigl(\underbrace{\tfrac{\delta}{2^{n/2}}, \ldots, \tfrac{\delta}{2^{n/2}}}_{2^{n/2}}, \underbrace{\tfrac{1-\delta}{2^n - 2^{n/2}}, \ldots, \tfrac{1-\delta}{2^n - 2^{n/2}}}_{2^n - 2^{n/2}}\Bigr) \\ &= H(\delta, 1-\delta) + \delta \log(2^{n/2}) + (1-\delta)\log(2^n - 2^{n/2}) \\ &\le 1 + \delta n/2 + (1-\delta)n \\ &= n - \delta n/2 + 1. \end{aligned} \tag{11} \]

Combining Eq. 11 with Eq. 10 yields $m \ge (\ln 2)(\delta n - 2)/(32\epsilon^2) \in \Omega(\delta n/\epsilon^2)$, as required. $\blacksquare$

We now provide definitions of IP and EQ queries in the quantum case in terms of unitary 
operations. We do this in a manner that is sufficiently general so that, whenever an implementation 
of a more general IP or EQ query is given as a general quantum circuit consisting of elementary 
quantum gates and measurements, a unitary query corresponding to our definition can be efficiently 
constructed from it. 
Definition 3 A quantum inner product query (with bias $\epsilon$) is a unitary transformation $U_{IP}$ on $n+m$ qubits, or its inverse $U_{IP}^{\dagger}$, such that $U_{IP}$ satisfies the following two properties:

1. If $x \in \{0,1\}^n$ is chosen randomly according to the uniform distribution and the last qubit of $U_{IP}|x\rangle|0^m\rangle$ is measured, yielding the value $w \in \{0,1\}$, then $\Pr[w = a \cdot x] \ge \frac{1}{2}+\epsilon$.

2. For any $x \in \{0,1\}^n$ and $y \in \{0,1\}^m$, the state of the first $n$ qubits of $U_{IP}|x\rangle|y\rangle$ is $|x\rangle$.

The first property captures the fact that, taking a query to be a suitable application of $U_{IP}$ followed by a measurement of the last qubit, Eq. 1 is satisfied. Any implementation of a quantum circuit that produces an output that is $a \cdot x$ with probability on average $\frac{1}{2}+\epsilon$ can be modified to consist of a unitary stage $U_{IP}$ followed by a measurement of one qubit. The second property is for technical convenience, and any unitary operation without this property can be converted to one that has this property, by first producing a copy of the classical basis state $|x\rangle$. Moreover, given a circuit implementing $U_{IP}$, it is easy to construct a circuit implementing $U_{IP}^{\dagger}$.

Definition 4 A quantum equivalence query is the unitary operation $U_{EQ}$ such that, for all $x \in \{0,1\}^n$ and $b \in \{0,1\}$,

where $b =$

For the quantum GL problem, $a \in \{0,1\}^n$ and information about $a$ is available only from quantum IP and EQ queries, and the goal is to determine $a$. We can now state and prove the result about quantum algorithms for the GL problem (which is similar to a result in [...] in a different context).

Theorem 2 There exists a quantum algorithm solving the GL problem with constant probability using $O(1/\epsilon)$ $U_{IP}$, $U_{IP}^{\dagger}$ and $U_{EQ}$ queries in total. Also, the number of auxiliary qubit operations used by the procedure is $O(n/\epsilon)$.

Proof: The proof is by a combination of two techniques: the algorithm in [...] for the exact case (i.e., when $\epsilon = \frac{1}{2}$), which is shown to be adaptable to "noisy" data in [...] (with a slightly different noise model than the one that arises here); and amplitude amplification [15], [6].

Since $U_{IP}$ applied to $|x\rangle|y\rangle$ has no net effect on its first $n$ input qubits, for each $x \in \{0,1\}^n$,

\[ U_{IP}|x\rangle|0^m\rangle = |x\rangle\bigl(\alpha_x|v_x\rangle|a \cdot x\rangle + \beta_x|w_x\rangle|\overline{a \cdot x}\rangle\bigr), \tag{13} \]

where $\alpha_x$ and $\beta_x$ are nonnegative real numbers, and $|v_x\rangle$ and $|w_x\rangle$ are $(m-1)$-qubit quantum states. If the last qubit of $U_{IP}|x\rangle|0^m\rangle$ is measured then the result is: $a \cdot x$ with probability $\alpha_x^2$, and $\overline{a \cdot x}$ with probability $\beta_x^2$. Therefore, since, for a random uniformly distributed $x \in \{0,1\}^n$, measuring the last qubit of $U_{IP}|x\rangle|0^m\rangle$ yields $a \cdot x$ with probability at least $\frac{1}{2}+\epsilon$, it follows that

\[ \frac{1}{2^n}\sum_{x \in \{0,1\}^n} \alpha_x^2 \ge \frac{1}{2} + \epsilon \tag{14} \]

\[ \frac{1}{2^n}\sum_{x \in \{0,1\}^n} \beta_x^2 \le \frac{1}{2} - \epsilon. \tag{15} \]
Now, consider the quantum circuit $C$ in Figure 1.

[Figure 1 (circuit diagram): registers labelled "$n$ qubits" and "$m$ qubits", with gates $H$, $U_{IP}$, $U_{IP}^{\dagger}$, $H$ and a controlled $Z$.]

Figure 1: Quantum circuit $C$.

We will begin by showing that $\langle a, 0^m, 1 | C | 0^n, 0^m, 0\rangle$ is real-valued and

\[ \langle a, 0^m, 1 | C | 0^n, 0^m, 0\rangle \ge 2\epsilon, \tag{16} \]

which intuitively can be viewed as an indication of the progress that $C$ makes towards finding the string $a$. To establish Eq. 16, note that the operation $C$ can be decomposed into the following five operations:

1. Operation $C_1$: Apply $H$ to each of the first $n$ qubits, and a NOT operation to the last qubit.

2. Operation $C_2$: Apply $U_{IP}$ to the first $n+m$ qubits.

3. Operation $C_3$: Apply a controlled-$Z$ to the last two qubits.

4. Operation $C_4$: Apply $U_{IP}^{\dagger}$ to the first $n+m$ qubits.

5. Operation $C_5$: Apply $H$ to each of the first $n$ qubits.

Since $\langle a, 0^m, 1 | C | 0^n, 0^m, 0\rangle = \langle a, 0^m, 1 | C_5 C_4 C_3 C_2 C_1 | 0^n, 0^m, 0\rangle$, the quantity $\langle a, 0^m, 1 | C | 0^n, 0^m, 0\rangle$ is the inner product between state $C_3 C_2 C_1 |0^n\rangle|0^m\rangle|0\rangle$ and state $C_4^{\dagger} C_5^{\dagger} |a\rangle|0^m\rangle|1\rangle$. These states are

\[ \begin{aligned} C_3 C_2 C_1 |0^n\rangle|0^m\rangle|0\rangle &= C_3 C_2 \frac{1}{\sqrt{2^n}} \sum_{x \in \{0,1\}^n} |x\rangle|0^m\rangle|1\rangle \\ &= C_3 \frac{1}{\sqrt{2^n}} \sum_{x \in \{0,1\}^n} |x\rangle\bigl(\alpha_x|v_x\rangle|a \cdot x\rangle + \beta_x|w_x\rangle|\overline{a \cdot x}\rangle\bigr)|1\rangle \\ &= \frac{1}{\sqrt{2^n}} \sum_{x \in \{0,1\}^n} |x\rangle\bigl(\alpha_x(-1)^{a \cdot x}|v_x\rangle|a \cdot x\rangle + \beta_x(-1)^{\overline{a \cdot x}}|w_x\rangle|\overline{a \cdot x}\rangle\bigr)|1\rangle \\ &= \frac{1}{\sqrt{2^n}} \sum_{x \in \{0,1\}^n} (-1)^{a \cdot x}|x\rangle\bigl(\alpha_x|v_x\rangle|a \cdot x\rangle - \beta_x|w_x\rangle|\overline{a \cdot x}\rangle\bigr)|1\rangle \end{aligned} \tag{17} \]
and

\[ \begin{aligned} C_4^{\dagger} C_5^{\dagger} |a\rangle|0^m\rangle|1\rangle &= C_4^{\dagger} \frac{1}{\sqrt{2^n}} \sum_{x \in \{0,1\}^n} (-1)^{a \cdot x}|x\rangle|0^m\rangle|1\rangle \\ &= \frac{1}{\sqrt{2^n}} \sum_{x \in \{0,1\}^n} (-1)^{a \cdot x}|x\rangle\bigl(\alpha_x|v_x\rangle|a \cdot x\rangle + \beta_x|w_x\rangle|\overline{a \cdot x}\rangle\bigr)|1\rangle. \end{aligned} \tag{18} \]

It follows from Eq. 17 and Eq. 18 (and using the fact that $\langle x | y \rangle = 0$ whenever $x \neq y$) that

\[ \langle a, 0^m, 1 | C | 0^n, 0^m, 0\rangle = \frac{1}{2^n} \sum_{x \in \{0,1\}^n} \bigl(\alpha_x^2 - \beta_x^2\bigr) \ge 2\epsilon, \tag{19} \]

which establishes Eq. 16.

Note that Eq. 16 implies that, if $C$ is executed on input $|0^n\rangle|0^m\rangle|0\rangle$ ($= |0^n, 0^m, 0\rangle$) and the result is measured in the classical basis, then the first $n$ bits of the result will be $a$ with probability at least $|\langle a, 0^m, 1 | C | 0^n, 0^m, 0\rangle|^2 \ge 4\epsilon^2$. Therefore, if this process is repeated $O(1/\epsilon^2)$ times, checking each result with an EQ query, then $a$ will be found with constant probability. A more efficient way of finding the value of $a$ is to use amplitude amplification [5], [15], [6] using the transformation $C$ and its inverse $C^{\dagger}$ in combination with EQ queries. The procedure is to compute (for various values of $k$)

\[ (-C\, U_0\, C^{\dagger}\, U_{EQ})^k\, C\, |0^n, 0^m, 0\rangle \tag{20} \]

(where $U_0 = I - 2|0^n, 0^m, 0\rangle\langle 0^n, 0^m, 0|$), measure the state, and perform an EQ query on the result. Such a computation consists of $O(k)$ $U_{IP}$, $U_{IP}^{\dagger}$, and $U_{EQ}$ queries. As shown in [...], if this is carried out for a suitably generated sequence of values of $k$, the expected total number of executions of $C$, $C^{\dagger}$, and $U_{EQ}$ until a successful EQ query occurs is $O(1/\epsilon)$. This implies that $O(1/\epsilon)$ $U_{IP}$, $U_{IP}^{\dagger}$, and $U_{EQ}$ are sufficient to succeed with constant probability. $\blacksquare$
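As an added numerical check (not code from the paper), the following numpy script builds a concrete $U_{IP}$ satisfying Definition 3 for a constructed instance with $n = 3$, $m = 2$, assembles the circuit $C$ of Figure 1 from the five operations $C_1, \ldots, C_5$, verifies that $\langle a, 0^m, 1 | C | 0^n, 0^m, 0\rangle = \frac{1}{2^n}\sum_x(\alpha_x^2 - \beta_x^2) = 2\epsilon$ as in Eq. 19, and then applies the operator of Eq. 20 for several $k$. The hidden string $a$, the per-$x$ correctness probabilities $\alpha_x^2$, the choice $|v_x\rangle = |0\rangle$, $|w_x\rangle = |x_0\rangle$, and the use of $U_{EQ}$ as a phase flip on states whose first $n$ qubits equal $a$ are all assumptions made for this example.

```python
"""Added numerical check of Eqs. 16-20 on a constructed toy instance (n = 3, m = 2)."""
import numpy as np

N, M = 3, 2                    # n query bits, m work qubits of U_IP
A = 0b101                      # hidden string a (constructed)
# alpha_x^2: probability that the IP query answers a.x correctly on input x
P_CORRECT = np.array([0.9, 0.5, 0.6, 0.7, 0.55, 0.65, 0.5, 0.8])
EPS = float(P_CORRECT.mean() - 0.5)     # bias epsilon of Definition 3
DIM = 2 ** (N + M + 1)                  # circuit C acts on n + m + 1 qubits

H = np.array([[1.0, 1.0], [1.0, -1.0]]) / np.sqrt(2)
X = np.array([[0.0, 1.0], [1.0, 0.0]])
I2 = np.eye(2)

def kron(*mats):
    out = np.eye(1)
    for m in mats:
        out = np.kron(out, m)
    return out

def inner(a, x):
    """a.x, the inner product modulo two."""
    return bin(a & x).count("1") & 1

def basis(index, dim):
    v = np.zeros(dim)
    v[index] = 1.0
    return v

def build_u_ip():
    """U_IP of Definition 3 / Eq. 13: block diagonal in x (so |x> is left
    untouched) with U_IP|x>|0^m> = alpha_x|v_x>|a.x> + beta_x|w_x>|not a.x>.
    We take |v_x> = |0> and |w_x> = |x_0> (top bit of x) so the garbage qubit
    depends on x; each x-block is completed to a unitary with a QR decomposition."""
    blk = 2 ** M
    u = np.zeros((2 ** N * blk, 2 ** N * blk))
    rng = np.random.default_rng(0)
    for x in range(2 ** N):
        alpha, beta = np.sqrt(P_CORRECT[x]), np.sqrt(1.0 - P_CORRECT[x])
        ax = inner(A, x)
        # work-register index = 2 * garbage_bit + guess_bit
        target = alpha * basis(ax, blk) + beta * basis(2 * (x >> (N - 1)) + (1 - ax), blk)
        mat = rng.standard_normal((blk, blk))
        mat[:, 0] = target
        q, r = np.linalg.qr(mat)
        if r[0, 0] < 0:                  # make the first column exactly `target`
            q[:, 0] *= -1.0
        u[x * blk:(x + 1) * blk, x * blk:(x + 1) * blk] = q
    return u

def unitarity_error(u):
    """max |U^T U - I|; zero (up to rounding) for a real unitary."""
    return float(np.abs(u.T @ u - np.eye(u.shape[0])).max())

def average_correctness(u_ip):
    """Pr_x[w = a.x] when the last qubit of U_IP|x>|0^m> is measured (Def. 3, property 1)."""
    blk, total = 2 ** M, 0.0
    for x in range(2 ** N):
        col = u_ip[:, x * blk]           # the state U_IP|x>|0^m>
        ax = inner(A, x)
        total += sum(col[i] ** 2 for i in range(len(col)) if (i & 1) == ax)
    return float(total / 2 ** N)

def build_circuit():
    """Circuit C of Figure 1 as a real orthogonal matrix, C = C5 C4 C3 C2 C1."""
    u_ip = build_u_ip()
    hn, im = kron(*([H] * N)), np.eye(2 ** M)
    c1 = kron(hn, im, X)                                   # H on x register, NOT on flag
    c2 = np.kron(u_ip, I2)                                 # U_IP on the first n + m qubits
    c3 = kron(np.eye(2 ** (N + M - 1)), np.diag([1.0, 1.0, 1.0, -1.0]))  # controlled-Z
    c4 = np.kron(u_ip.T, I2)                               # U_IP^dagger (real, so transpose)
    c5 = kron(hn, im, I2)
    return c5 @ c4 @ c3 @ c2 @ c1

def overlap_with_target(circuit):
    """<a, 0^m, 1| C |0^n, 0^m, 0>, the amplitude bounded in Eq. 16."""
    return float(circuit[(A << (M + 1)) | 1, 0])

def success_probability(k):
    """Probability that the x register reads a after k applications of the
    operator (-C U_0 C^dagger U_EQ) of Eq. 20 to C|0^n,0^m,0>. The EQ query is
    modelled as a phase flip on states whose x register equals a (assumption)."""
    circuit = build_circuit()
    start = basis(0, DIM)
    good = np.zeros(DIM)
    good[A << (M + 1):(A + 1) << (M + 1)] = 1.0
    u_eq = np.diag(1.0 - 2.0 * good)
    u_0 = np.eye(DIM) - 2.0 * np.outer(start, start)
    step = -circuit @ u_0 @ circuit.T @ u_eq
    state = circuit @ start
    for _ in range(k):
        state = step @ state
    return float(np.sum(state[good == 1.0] ** 2))

if __name__ == "__main__":
    c = build_circuit()
    print("epsilon =", EPS, " <a,0,1|C|0,0,0> =", overlap_with_target(c))
    for k in range(4):
        print("k =", k, " Pr[x register = a] =", round(success_probability(k), 4))
```

With $p_0$ the success probability of a single run of $C$ and $\sin\theta = \sqrt{p_0}$, the $k$-th iterate succeeds with probability $\sin^2((2k+1)\theta)$, which is why the paper varies $k$ rather than fixing it.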



3 Hard-predicates from one-way permutations

In this section, we give definitions pertaining to one-way permutations and hard-predicates (classical and quantum versions) and investigate the complexity of the reduction of Goldreich and Levin [13] from the former to the latter.$^2$

In the definitions below, when we refer to the size of a classical [quantum] circuit, it is understood to be relative to a suitable set of gates on one and two bits [qubits]. Quantum circuits compute unitary transformations on quantum states; however, they can also be adapted to take classical data as input and produce classical data as output. For a quantum circuit $C$ acting on $m$ qubits, and $x \in \{0,1\}^n$ (for $n \le m$), let $C_k(x)$ ($k \in \{1, \ldots, m\}$) denote the result of measuring the first $k$ qubits of $C|x\rangle|0^{m-n}\rangle$ in the classical basis. The subscript $k$ may be omitted when the value of $k$ is clear from the context.

$^2$The reduction makes sense for functions that are not permutations, but we restrict attention to permutations for simplicity.
Intuitively, a quantum one-way permutation $f$ on $n$ bits is easy to compute in the forward direction but is hard to invert$^3$. For the former property, the standard requirement is that $f$ be computable by a uniform circuit of size $n^{O(1)}$ (though it is also possible to impose other upper bounds on the uniform circuit size). To quantify the latter property, it is helpful to first make the following definition.

Definition 5 A permutation $f : \{0,1\}^n \to \{0,1\}^n$ is classically [quantumly] $(\delta, T)$-hard to invert if there is no classical [quantum] circuit $C$ of size $T$ such that $\Pr_a[C(f(a)) = a] \ge \delta$.

Now the standard requirement for the hard-to-invert condition is that $f$ is $(\delta, T)$-hard to invert for all $\delta \in 1/n^{O(1)}$ and $T \in n^{O(1)}$ (again, other bounds can be imposed). It should be noted that, although it may be hard to determine $a$ from $f(a)$, it may not be hard to extract partial information about $a$ from $f(a)$. For example, it is conceivable for a one-way permutation $f$ to have the property that half of the bits of $a$ can be efficiently determined exactly from $f(a)$. It is also conceivable that each individual bit of $a$ is efficiently predictable from $f(a)$ with probability $\frac{3}{4}$. The idea behind a hard-predicate [...] is to concentrate the information that a one-way function "hides" about its input into a single bit. Intuitively, $h : \{0,1\}^n \to \{0,1\}$ is a hard-predicate of $f$ if, given $a \in \{0,1\}^n$, it is easy to compute $h(a)$; whereas, given $f(a)$ for randomly chosen $a \in \{0,1\}^n$, it is hard to predict the value of the bit $h(a)$ with probability significantly better than $\frac{1}{2}$. One natural way of quantifying how well a circuit predicts the value of $h$ from the value of $f$ is by the amount that $\Pr_a[C(f(a)) = h(a)]$ exceeds $\frac{1}{2}$.



The hard-predicate defined in [13] is

\[ h(y, x) = y \cdot x, \tag{21} \]

(the inner product modulo two of $x$ and $y$), for $(y, x) \in \{0,1\}^n \times \{0,1\}^n$. This is not a hard-predicate of $f$, but for a slightly modified version of $f$, as given in the following definition.

Definition 6 For a permutation $f : \{0,1\}^n \to \{0,1\}^n$, let $f'$ denote the permutation $f' : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n \times \{0,1\}^n$ defined as

\[ f'(y, x) = (f(y), x), \tag{22} \]

for all $(y, x) \in \{0,1\}^n \times \{0,1\}^n$.

Note that the cost of computing [inverting] $f'$ is essentially the same as the cost of computing [inverting] $f$. Goldreich and Levin showed that if $f$ is one-way then $h$ is hard to predict from $f'$. Instead of quantifying how well a circuit predicts $h$ from $f'$ as the amount by which $\Pr_{y,x}[C(f'(y, x)) = h(y, x)]$ exceeds $\frac{1}{2}$, we adopt a slightly more complicated definition. This definition is related to the above, but is better suited for expressing the results in this section.

Definition 7 A circuit $C$ $(\delta, \epsilon)$-predicts $h$ from $f'$ if

\[ \Pr_y\bigl[\Pr_x[C(f'(y, x)) = h(y, x)] \ge \tfrac{1}{2} + \epsilon\bigr] \ge \delta. \tag{23} \]

To explain Eq. 23 in words, call $y \in \{0,1\}^n$ $\epsilon$-good if $\Pr_x[C(f'(y, x)) = h(y, x)] \ge \frac{1}{2} + \epsilon$ for that value of $y$. Then Eq. 23 is equivalent to saying that $\Pr_y[y \text{ is } \epsilon\text{-good}] \ge \delta$.



$^3$The reversibility of quantum computations does not exclude this possibility.

The following lemma, which relates the two measures of prediction, is straightforward to prove by an averaging argument.

Lemma 3 If $\Pr_{y,x}[G(f'(y, x)) = h(y, x)] \ge \frac{1}{2} + \epsilon$ then $G$ $(\epsilon/(1-\epsilon), \epsilon/2)$-predicts $h$ from $f'$.

Note that, if $\Pr_{y,x}[G(f'(y, x)) = h(y, x)] \ge \frac{1}{2} + 1/n^{O(1)}$ then $G$ $(1/n^{O(1)}, 1/n^{O(1)})$-predicts $h$ from $f'$. The classical Goldreich-Levin Theorem can be stated as follows.

Theorem 4 ([13], [14]) If $f : \{0,1\}^n \to \{0,1\}^n$ is classically $(\delta/2, T)$-hard to invert then any classical circuit that $(\delta, \epsilon)$-predicts $h$ from $f'$ must have size $\Omega(T\epsilon^2/n)$.

The proof of this theorem is essentially a reduction from the problem of inverting $f$ to the problem of $(\delta, \epsilon)$-predicting $h$. One begins by assuming that a circuit $G$ of size $o(T\epsilon^2/n)$ $(\delta, \epsilon)$-predicts $h$ from $f'$ and then shows that, by making $O(n/\epsilon^2)$ calls to both $G$ and $f$ (plus some additional computations), $f$ can be inverted with probability $\delta/2$ [14]. The total running time of the inversion procedure is $o((n/\epsilon^2)(T\epsilon^2/n)) = o(T)$, contradicting the fact that $f$ is $(\delta/2, T)$-hard to invert. Our quantum version of the Goldreich-Levin Theorem is the following.

Theorem 5 If $f : \{0,1\}^n \to \{0,1\}^n$ is quantumly $(\delta/2, T)$-hard to invert then any quantum circuit that $(\delta, \epsilon)$-predicts $h$ from $f'$ must have size $\Omega(T\epsilon)$.

Proof: As in the classical case, the proof is essentially a reduction from the problem of inverting $f$ to the problem of $(\delta, \epsilon)$-predicting $h$. Let $b = f(a)$ be an input instance; the goal is to determine $a$ from $b$. We will show how to simulate EQ and IP queries in this setting and then apply the bounds in Theorem 2. It is easy to simulate an EQ query (relative to $a$) by making one call to $f$ and checking if the result is $b$. Suppose that there exists a circuit $G$ of size $o(T\epsilon)$ that $(\delta, \epsilon)$-predicts $h$ from $f'$. Thus, $\Pr_y[\Pr_x[G(f'(y, x)) = h(y, x)] \ge \frac{1}{2} + \epsilon] \ge \delta$. Note that, with probability at least $\delta$, $a$ is $\epsilon$-good, in the sense that $\Pr_x[G(f'(a, x)) = h(a, x)] \ge \frac{1}{2} + \epsilon$. When $a$ is $\epsilon$-good, computing $G(f'(a, x)) = G(b, x)$ is simulating an IP query for $x$ (relative to $a$). It follows from Theorem 2 that $a$ can be computed with circuit-size $o((1/\epsilon)(T\epsilon)) = o(T)$ with success probability at least $\delta/2$ (where $1/2$ is the success probability of the algorithm that finds $a$ when $a$ is $\epsilon$-good and $\delta$ is the probability that $a$ is $\epsilon$-good to begin with). This contradicts the $(\delta/2, T)$-hardness of inverting $f$, thus $G$ cannot $(\delta, \epsilon)$-predict $h$ from $f'$ and be of size $o(T\epsilon)$. $\blacksquare$

To conclude this section, we give a proof that Theorem 4 cannot be improved quantitatively assuming that it follows the structure of making calls to $f$ and to an algorithm $G$ that $(\delta, \epsilon)$-predicts $h$ from $f'$. More precisely, the setting is as follows. For a permutation $f : \{0,1\}^n \to \{0,1\}^n$, information is available from two types of black-box queries: $f$-queries that evaluate $f$; and $G$-queries that $(\delta, \epsilon)$-predict $h$ from $f'$. More precisely, a $G$-query has the property that $\Pr_y[\Pr_x[G(f'(y, x)) = h(y, x)] \ge \frac{1}{2} + \epsilon] \ge \delta$. A problem instance is $b \in \{0,1\}^n$ (where $b = f(a)$ for a random $a \in \{0,1\}^n$) and the availability of $f$-queries and $G$-queries. The goal is to determine $a$ with probability $\delta/2$ (say). Let us refer to this as the GL* problem (related to but different from the GL problem defined in Section 2). From the proof of Theorem 4, the classical GL* problem can be solved with $O(n/\epsilon^2)$ $f$-queries and $G$-queries (and $O(n^2/\epsilon^2)$ auxiliary operations [...]). From the proof of Theorem 5, a quantum version of the GL* problem can be solved with only $O(1/\epsilon)$ $f$-queries and $G$-queries (and $O(n/\epsilon)$ auxiliary operations). The next theorem essentially implies that the dilution factor $n/\epsilon^2$ in Theorem 4 cannot be reduced for a reasonable range of values of $\epsilon$.
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Theorem 6 The classical GL* problem requires either 0(2"/^) f -queries or 0(n/e^) G-queries, 
whenever e > y^2~"/'^. 

Proof: The idea behind the proof is show that, starting with an algorithm that solves the GL* 
problem using Tj /-queries and Tq G-queries, it is possible to simulate each /-query with one 
EQ query and to simulate each G-query with one IP query and one EQ query. The result is an 
algorithm that solves the GL problem defined in Section ^ with Tq IP queries and Tj + Tq EQ 
queries. Then, applying the bound in Theorem |l|, yields the required lower bounds. 

By a basic game-theoretic argument [^0|, it suffices to consider deterministic algorithms, where 
the input data — embodied by 6, /, and G — are generated in a probabilistic manner. Let a £ {0, 1}" 
be chosen randomly, / : {0, 1}" — > {0, 1}"" be a random permutation (chosen uniformly among the 
2"! possibilities), and b = f{a). The function G is generated with the following property: for any 
y, with probability at least 5, the condition Frx[G{f{y,x)) = h{y,x)] > ^ + e holds. This property 
implies Prj,[Pr,[G(/(y,x)) = h{y,x)] >^ + e]>6. 

The above probability distribution for $b$, $f$, and $G$ can be generated in a number of ways, including ways where the determination of parts of $f$ is deferred until the course of the execution of the algorithm solving the black-box problem. To illustrate this, first consider an algorithm that uses only $f$-queries. It is possible to generate $f : \{0,1\}^n \to \{0,1\}^n$ randomly, choose $a \in \{0,1\}^n$ randomly, and set $b = f(a)$. But this is stochastically equivalent to choosing $a \in \{0,1\}^n$ randomly, $b \in \{0,1\}^n$ randomly and then, whenever an $f$-query with input $x \in \{0,1\}^n$ occurs, doing the following. If $x = a$ then return $b$; if $x$ has already occurred as the input to an $f$-query then return the same value that was returned previously; otherwise, return a random element of $\{0,1\}^n$ that is different from $b$ and from any values that have been returned from previous $f$-queries. The above supposes that the value of $a$ is available. If $b$ is available but information about $a$ is available only via EQ queries then, in the above procedure, checking whether $x = a$ can be replaced by performing the query $\mathrm{EQ}(x)$. It is helpful to think about implementing the above process by building up a table of values of $f$, initially empty. When an $f$-query with input $x$ occurs, an EQ query is performed. If $\mathrm{EQ}(x) = 1$ then $b$ is returned; otherwise, if the table has a value $z$ in position $x$ then $z$ is returned; otherwise, a random $w \in \{0,1\}^n$ that is different from $b$ and not in the table is inserted into position $x$ in the table and $w$ is returned. This is the manner in which an $f$-query can be simulated by an EQ query.

In a similar spirit, we can show that $G$-queries can be incorporated into this scenario and simulated by IP queries and EQ queries. Prior to the execution of the algorithm, a flag bit $s$ is set to 1 with probability $\delta$ and to 0 with probability $1 - \delta$. Let the input to a $G$-query be $(y,x)$. If $y = b$ and $s = 1$ then an IP query is performed and the result is returned. If $y = b$ and $s = 0$ then a random bit is returned. If $y \neq b$ and $y$ occurs in the table at position $z$ then $h(z,x)$ is returned. If $y \neq b$ and $y$ does not occur in the table then $y$ is placed in a random empty position $z$ in the table for which $\mathrm{EQ}(z) \neq 1$ and $h(z,x)$ is returned. In this manner, a $G$-query can be simulated by at most one IP query and one EQ query.
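The two simulations just described (an $f$-query answered from a lazily built table plus one EQ query, and a $G$-query answered from the same table plus at most one IP and one EQ query) as an added worked example in Python. This is illustrative code written for this section, not code from the paper. It assumes $n$-bit strings are encoded as integers, $h(y,x)$ is the inner product mod 2 as in the text, and a seeded RNG so runs are reproducible; the class name, method names and the `is_consistent` sanity check are hypothetical.

```python
import random


def h(y: int, x: int) -> int:
    """Inner product of two n-bit strings mod 2 (strings encoded as integers)."""
    return bin(y & x).count("1") & 1


class LazyOracleSimulator:
    """Answers f-queries and G-queries for a random permutation f with f(a) = b,
    touching the hidden a only through EQ(x) = [x == a] and IP(x) = h(a, x).
    Values of f are fixed lazily in a table, as the text describes."""

    def __init__(self, n: int, a: int, b: int, delta: float, seed: int = 0, s=None):
        self.n = n
        self.size = 1 << n
        self._a = a            # hidden; only EQ/IP below may look at it
        self.b = b
        self.rng = random.Random(seed)
        self.table = {}        # position x -> value f(x), for x != a
        self.used = {b}        # outputs already assigned (b = f(a))
        # flag bit s: 1 with probability delta, 0 otherwise (overridable for tests)
        self.s = s if s is not None else (1 if self.rng.random() < delta else 0)
        self.eq_queries = 0
        self.ip_queries = 0

    def EQ(self, x: int) -> int:
        self.eq_queries += 1
        return 1 if x == self._a else 0

    def IP(self, x: int) -> int:
        self.ip_queries += 1
        return h(self._a, x)

    def f_query(self, x: int) -> int:
        """One f-query costs exactly one EQ query."""
        if self.EQ(x) == 1:
            return self.b
        if x in self.table:
            return self.table[x]
        w = self.rng.randrange(self.size)      # fresh output: != b, not yet in the table
        while w in self.used:
            w = self.rng.randrange(self.size)
        self.table[x] = w
        self.used.add(w)
        return w

    def G_query(self, y: int, x: int) -> int:
        """One G-query costs at most one IP query and one EQ query (a second EQ
        query happens only if the random empty position happens to be a)."""
        if y == self.b:
            return self.IP(x) if self.s == 1 else self.rng.randrange(2)
        for z, v in self.table.items():        # is y already placed at some position z?
            if v == y:
                return h(z, x)
        while True:                            # bind y to a random empty position z != a
            z = self.rng.randrange(self.size)
            if z in self.table:
                continue
            if self.EQ(z) != 1:
                break
        self.table[z] = y
        self.used.add(y)
        return h(z, x)

    def is_consistent(self) -> bool:
        """Hypothetical sanity check: the partial table is injective, never maps
        to b, and never assigns a value to position a."""
        vals = list(self.table.values())
        return (len(vals) == len(set(vals)) and self.b not in vals
                and self._a not in self.table)
```

Every value the simulator returns is consistent with some uniformly random permutation $f$ with $f(a) = b$, which is the point of the reduction: an algorithm given these answers cannot tell that $f$ is being invented on the fly, and its $f$- and $G$-queries have been paid for with EQ and IP queries only.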

What results from the above is a method of converting an algorithm that solves the GL$^*$ problem with $T_f$ $f$-queries and $T_G$ $G$-queries with success probability at least $\delta/2$ into one that solves the GL problem with $T_G$ IP queries and $T_f + T_G$ EQ queries with success probability $\delta/2$. Conditioned on $s = 1$, this algorithm for the GL problem must succeed with constant success probability unless $T_f \in \Omega(2^{n/2})$. Therefore, by the lower bounds in Theorem 0, we have that $T_f \in \Omega(2^{n/2})$ or $T_G \in \Omega(n/\epsilon^2)$, as required. $\blacksquare$






4 Quantum bit commitment from quantum one-way permutations 

In this section, we show how to use the quantum Goldreich-Levin Theorem to construct a quantum 
bit commitment scheme from a quantum one-way permutation. 

Definition 8 A permutation $f : \{0,1\}^n \to \{0,1\}^n$ is a quantum one-way permutation if:

• There is a uniform quantum circuit of size $n^{O(1)}$ that computes $f(x)$ from $x$.

• $f$ is quantumly $(\delta, T)$-hard to invert for any $\delta \in 1/n^{O(1)}$ and $T \in n^{O(1)}$.

Theorem 7 If there exists a quantum one-way permutation $f : \{0,1\}^n \to \{0,1\}^n$ then there exists a bit [or qubit] commitment scheme that is perfectly binding and computationally concealing, in the sense that the committed bit cannot be predicted with probability $\frac{1}{2} + 1/n^{O(1)}$ by a circuit of size $n^{O(1)}$.

Proof: From Theorem ^, it is straightforward to construct a quantum bit commitment scheme from Alice to Bob based on a one-way permutation $f$ as follows (where $h(y,x) = y \cdot x$).

Bit-commit Let $z \in \{0,1\}$ be the bit to commit to. Alice chooses $a, x \in \{0,1\}^n$ randomly, and sets $c = z \oplus h(a,x)$. Alice computes $b = f(a)$ and sends $(b, x, c)$ to Bob.

Bit-decommit Alice sends $a$ to Bob. Bob checks if $f(a) = b$ and rejects if this is not the case. Otherwise, Bob accepts and computes $c \oplus h(a,x)$ as the bit.
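The bit commitment protocol above, as an added worked example in Python; it is illustrative code written for this section, not code from the paper. Since no one-way permutation is available to a short example, the assumed `f` is a trivially invertible affine bijection on $n$-bit strings that only stands in for $f$; `h` is the inner product mod 2 from the text. The function names `bit_commit`, `bit_decommit`, `openable_bits` and `brute_force_open` are hypothetical. `openable_bits` checks perfect binding by enumerating every opening Bob would accept, and `brute_force_open` shows what happens when $f$ is not one-way: Bob recovers $a$ and hence $z$, which is exactly the concealing argument run in reverse.

```python
import random


def h(y: int, x: int) -> int:
    """Inner product mod 2 of n-bit strings encoded as integers (h(y, x) = y . x)."""
    return bin(y & x).count("1") & 1


def f(a: int, n: int) -> int:
    """Stand-in for the one-way permutation (assumption, not from the paper).
    Multiplication by an odd constant is a bijection mod 2^n, so this IS a
    permutation, but it is trivially invertible; it only lets the protocol run."""
    return (5 * a + 3) % (1 << n)


def bit_commit(z: int, n: int, rng: random.Random):
    """Alice's commit step: returns (commitment sent to Bob, opening she keeps)."""
    a = rng.randrange(1 << n)
    x = rng.randrange(1 << n)
    c = z ^ h(a, x)
    b = f(a, n)
    return (b, x, c), a


def bit_decommit(commitment, a: int, n: int):
    """Bob's decommit step: None means Bob rejects, otherwise the recovered bit."""
    b, x, c = commitment
    if f(a, n) != b:
        return None
    return c ^ h(a, x)


def openable_bits(commitment, n: int) -> set:
    """Every bit Bob could be made to accept, over all candidate openings a'.
    Because f is a permutation exactly one a' satisfies f(a') = b, so this set
    has one element: the scheme is perfectly binding for Alice."""
    bits = set()
    for a2 in range(1 << n):
        bit = bit_decommit(commitment, a2, n)
        if bit is not None:
            bits.add(bit)
    return bits


def brute_force_open(commitment, n: int) -> int:
    """What a Bob who can invert f learns: with the toy f he finds a by
    exhaustive search and reads z. Concealment therefore rests entirely on
    f being hard to invert, which is what Theorem 7 assumes."""
    b, x, c = commitment
    for a2 in range(1 << n):
        if f(a2, n) == b:
            return c ^ h(a2, x)
    raise ValueError("f is a permutation, so some preimage must exist")
```

With a genuine one-way permutation the search in `brute_force_open` is infeasible, and the Goldreich-Levin reduction says that even a good guess of $h(a,x)$ from $(f(a), x)$ would already yield an inverter for $f$.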

Since $f$ is a permutation there is at most one classical value of $a$ that is an acceptable decommitment of Alice's bit. This implies that the scheme is perfectly binding to Alice. Note that the
model could be relaxed to permit Alice to send quantum data to Bob, by adjusting Bob's protocol 
to immediately perform a measurement (in the classical basis) on any data that he receives from 
Alice. There would be no advantage to Alice — she could not somehow "commit to more than 
one value" by sending commitments in superposition. This is because the adjusted protocol is 
equivalent to one where Alice performs the measurement herself on any data before sending it to 
Bob. 

Theorem 5 implies that the scheme is also computationally concealing, since any $n^{O(1)}$-size circuit that enables Bob to guess $z$ from $(b, x, c)$ with probability $\frac{1}{2} + 1/n^{O(1)}$ can be converted to an $n^{O(1)}$-size circuit that inverts $f$ with probability $1/n^{O(1)}$, violating the fact that $f$ is one-way.

Finally, we explain how a qubit commitment scheme can be constructed using some of the ideas in [Q]. Recall the standard notation for the Pauli matrices:

$$X = \sigma_x = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix} \quad\text{and}\quad Z = \sigma_z = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}. \tag{24}$$

Qubit-commit Let $|\psi\rangle$ be the qubit to commit to. Alice chooses $a_1, a_2, x_1, x_2 \in \{0,1\}^n$ randomly, and constructs the state $|\psi'\rangle = X^{h(a_1,x_1)} Z^{h(a_2,x_2)} |\psi\rangle$ and also computes $b_1 = f(a_1)$ and $b_2 = f(a_2)$. Alice sends $(|\psi'\rangle, b_1, b_2, x_1, x_2)$ to Bob.

Qubit-decommit Alice sends $a_1, a_2$ to Bob. Bob checks if $f(a_1) = b_1$ and $f(a_2) = b_2$, rejecting if this is not the case. Otherwise, Bob accepts and computes $Z^{h(a_2,x_2)} X^{h(a_1,x_1)} |\psi'\rangle$ as the qubit.
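The qubit commitment protocol above, as an added worked example in Python written for this section (not code from the paper). A qubit is stored as a two-element list of amplitudes, and the Pauli operators of (24) are applied directly to the amplitudes, so no numerical library is needed. As in the bit-commitment example, the assumed `f` is an affine bijection standing in for a one-way permutation, `h` is the inner product mod 2, and the function names are hypothetical. Besides running commit and decommit, `average_density_over_pads` checks the intuition behind concealment: averaging $X^{r_1} Z^{r_2} |\psi\rangle\langle\psi| (X^{r_1} Z^{r_2})^\dagger$ over uniformly random pad bits $(r_1, r_2)$ gives the totally mixed state $\frac{1}{2} I$ for every pure qubit, which is what Bob sees when $h(a_1,x_1)$ and $h(a_2,x_2)$ look random to him.

```python
import random


def h(y: int, x: int) -> int:
    """Inner product mod 2 of n-bit strings encoded as integers."""
    return bin(y & x).count("1") & 1


def f(a: int, n: int) -> int:
    """Stand-in for the one-way permutation (assumption): an affine bijection mod 2^n."""
    return (5 * a + 3) % (1 << n)


def pauli_x(psi):
    """X on a qubit stored as [amp0, amp1]: swaps the two amplitudes."""
    return [psi[1], psi[0]]


def pauli_z(psi):
    """Z on a qubit: flips the sign of the |1> amplitude."""
    return [psi[0], -psi[1]]


def qubit_commit(psi, n: int, rng: random.Random):
    """Alice: |psi'> = X^{h(a1,x1)} Z^{h(a2,x2)} |psi>; returns (commitment, opening)."""
    a1, a2, x1, x2 = (rng.randrange(1 << n) for _ in range(4))
    masked = list(psi)
    if h(a2, x2):          # Z^{h(a2,x2)} acts first (it is the rightmost operator)
        masked = pauli_z(masked)
    if h(a1, x1):          # then X^{h(a1,x1)}
        masked = pauli_x(masked)
    commitment = (masked, f(a1, n), f(a2, n), x1, x2)
    return commitment, (a1, a2)


def qubit_decommit(commitment, opening, n: int):
    """Bob: check f(a1) = b1 and f(a2) = b2, then apply Z^{h(a2,x2)} X^{h(a1,x1)}.
    Returns None on rejection, otherwise the recovered qubit."""
    masked, b1, b2, x1, x2 = commitment
    a1, a2 = opening
    if f(a1, n) != b1 or f(a2, n) != b2:
        return None
    psi = list(masked)
    if h(a1, x1):          # undo in reverse order: X first, then Z
        psi = pauli_x(psi)
    if h(a2, x2):
        psi = pauli_z(psi)
    return psi


def same_state(u, v, tol: float = 1e-12) -> bool:
    """Amplitude-wise equality up to floating-point noise."""
    return all(abs(p - q) < tol for p, q in zip(u, v))


def average_density_over_pads(psi):
    """Average of X^{r1} Z^{r2} |psi><psi| (X^{r1} Z^{r2})^dagger over the four
    equally likely pad bits (r1, r2). For any pure qubit the result is I/2."""
    total = [[0j, 0j], [0j, 0j]]
    for r1 in (0, 1):
        for r2 in (0, 1):
            s = list(psi)
            if r2:
                s = pauli_z(s)
            if r1:
                s = pauli_x(s)
            for i in range(2):
                for j in range(2):
                    total[i][j] += s[i] * s[j].conjugate() / 4
    return total
```

The order of the Pauli operators matters because $X$ and $Z$ anticommute: Alice applies $Z$ then $X$, and Bob must undo $X$ before $Z$, which is exactly the operator order written in the two protocol steps.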
Clearly, the scheme is perfectly binding. Intuitively, the scheme is computationally concealing, because $h(a_1,x_1)$ and $h(a_2,x_2)$ "look random" to Bob. If Bob can use his information to efficiently and significantly distinguish between the qubit that he receives from Alice in the commitment stage and a totally mixed state (density matrix $\frac{1}{2} I$) then this procedure can be adapted to distinguish between the pair of bits $r_1 = h(a_1,x_1)$ and $r_2 = h(a_2,x_2)$ and a pair of truly random bits, which would lead to a procedure that violated the result proven in Theorem ^. $\blacksquare$